azure-active-directorymicrosoft-graph-apipython-asyncio
Why is Interactive Browser Credential changing the scope I passed in?
I am trying to access my user info with Interactive Browser Credential, Graph Service Client, and asyncio.
I am passing in the default scope ('https://graph.microsoft.com/.default'), but getting an error that says my scope is invalid, only it is not the same scope as the one I passed in.
The browser pops up with this error: "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope . / : a c d e f g h i l m o offline_access openid p profile r s t u is not valid..." (emphasis added). Notice that the scope it is listing is not the one I provided.
Is something in my code altering the scope parameter before passing it into the Interactive Browser Credential?
from azure.identity import InteractiveBrowserCredential
from msgraph import GraphServiceClient
import asyncio
async def me():
credential = InteractiveBrowserCredential()
scopes = 'https://graph.microsoft.com/.default'
graph_client = GraphServiceClient(credential, scopes)
me = await graph_client.me.get()
if me:
print(me)
if __name__ == "__main__":
asyncio.run(me())
Solution
The browser pops up with this error: "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope . / : a c d e f g h i l m o offline_access openid p profile r s t u is not valid..." (emphasis added). Notice that the scope it is listing is not the one I provided.
I tried in my environment and got the below results:
Initially, I tried with your code and got the same error.
Error:
The above error occurs when you are not passing the scope in the correct format. The scope should be list format.
scopes = ['https://graph.microsoft.com/.default']
Code:
from azure.identity import InteractiveBrowserCredential
from msgraph import GraphServiceClient
import asyncio
async def me():
credential = InteractiveBrowserCredential()
scopes = ['https://graph.microsoft.com/.default']
graph_client = GraphServiceClient(credential, scopes)
me = await graph_client.me.get()
if me:
print(me)
if __name__ == "__main__":
asyncio.run(me())
Output:
User(additional_data={'@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users/$entity'}, id='xxxx', odata_type=None, deleted_date_time=None, about_me=None, account_enabled=None, activities=None, age_group=None, agreement_acceptances=None, app_role_assignments=None, assigned_licenses=None, assigned_plans=None, authentication=None, authorization_info=None, birthday=None, business_phones=[], calendar=None, calendar_groups=None, calendar_view=None, calendars=None, chats=None, city=None, company_name=None, consent_provided_for_minor=None, contact_folders=None, contacts=None, country=None, created_date_time=None, created_objects=None, creation_type=None, department=None, device_enrollment_limit=None, device_management_troubleshooting_events=None, direct_reports=None, display_name='xxxx', drive=None, drives=None, employee_hire_date=None, employee_id=None, employee_leave_date_time=None, employee_org_data=None, employee_type=None, events=None, extensions=None, external_user_state=None, external_user_state_change_date_time=None, fax_number=None, followed_sites=None, given_name='xxx', hire_date=None, identities=None, im_addresses=None, inference_classification=None, insights=None, interests=None, is_resource_account=None, job_title=None, joined_teams=None, last_password_change_date_time=None, legal_age_group_classification=None, license_assignment_states=None, license_details=None, mail='xxx', mail_folders=None, mail_nickname=None, mailbox_settings=None, managed_app_registrations=None, managed_devices=None, manager=None, member_of=None, messages=None, mobile_phone=None, my_site=None, oauth2_permission_grants=None, office_location='No WorkSpace', on_premises_distinguished_name=None, on_premises_domain_name=None, on_premises_extension_attributes=None, on_premises_immutable_id=None, on_premises_last_sync_date_time=None, on_premises_provisioning_errors=None, on_premises_sam_account_name=None, on_premises_security_identifier=None, on_premises_sync_enabled=None, on_premises_user_principal_name=None, onenote=None, online_meetings=None, other_mails=None, outlook=None, owned_devices=None, owned_objects=None, password_policies=None, password_profile=None, past_projects=None, people=None, photo=None, photos=None, planner=None, postal_code=None, preferred_data_location=None, preferred_language=None, preferred_name=None, presence=None, print=None, provisioned_plans=None, proxy_addresses=None, registered_devices=None, responsibilities=None, schools=None, scoped_role_member_of=None, security_identifier=None, settings=None, show_in_address_list=None, sign_in_activity=None, sign_in_sessions_valid_from_date_time=None, skills=None, state=None, street_address=None, surname='xxx', teamwork=None, todo=None, transitive_member_of=None, usage_location=None, user_principal_name='xxxx', user_type=None)
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?